Get APLawrence.com by RSSMore ssh ideas
Author: Dirk Hart
Date: Thu Feb 24 23:10:38 2005
Subject: More ssh ideas
A friend recently got 'rooted'. He was using ssh (not ssh2). He was getting pages on his phone and processes were dying and such, so he installed "chkrootkit" which is a program that checks your system to see if there is any of a number of root kits installed. He had SuckIt installed on his machine and now has a server to rebuild
Unfortunately he used ssh to login and check his other server, so now he has 2 servers to rebuild.
Since I noticed my /var/log/secure file getting large at the beginning of the month I've made some changes to sshd_config:
1. PermitRootLogin no Users just have to login to an unprivileged account, then su if they want root access.
2. Banner /etc/banner This file is displayed after you enter your user name. I changed the banner file as below:
password:
$
Unauthorized use of this service is strictly prohibited. Unauthorized
attempts to use this service, upload information or change information
on this service are strictly prohibited and may be punishable under the
Computer Fraud and Abuse Act of 1986 and the National Information
Infrastructure Protection Act.
I put "password:" and "$" in the banner to trip up the automated scripts these guys appear to be using. I don't know if it works, it just seems like a good idea.
3. DenyUsers adm admin apache bin daemon dovecot ftp games gopher halt lp mail mail null mysql named news nfsnobody nobody nscd operator pcap postgres rpc rpcuser rpm shutdown simon smmsp squid sshd sync uucp vcsa webalizer
A list of all the folks who cannot login.
4. AllowUsers boopy A list of all the folks who can login, just in case I left anyone out of the previous list. Only boopy gets in.
Finally, I populated hosts.deny with the apparent IP addresses of the worst offenders:
ALL: 222.237.79.237\
210.68.8.169\
68.58.89.36\
200.164.92.234\
210.75.224.29\
81.168.255.137\
64.151.75.92\
148.245.97.130\
131.202.163.23\
162.39.201.74\
67.172.114.3\
206.165.120.54\
222.122.60.42\
211.136.90.75\
.
.
.
141.28.18.200
ALL services are denied to these IP addresses. Well, I guess the well trained hacker changes his IP address often, but since I made this change login attempts are down to 10% of what they were. I add them 1 per line so I don't go berserk maintaining the list. Note that the \ character 'continues' the line.
5. I enable VerifyReverseMapping, but I haven't seen this work. It doesn't deny me access from the IP address I always use. It sounds like people who fail a 'reverse IP address' test of some sort (phony IP addresses?) get rejected.
Is there a way to automatically populate hosts.deny? How would I keep my own IP address out of there?
Any other security suggestions?
(On 3/26/2005 Dirk added this:)
Here's a little widget I wrote this morning for summarizing my secure log. Way better than actually reading it. I take these results and update /etc/hosts.deny. I have most of South Korea and Taiwan blocked now.
[root@mammoth tmp]# cat test
grep 'Failed password' /var/log/secure|cut -d ']' --fields=2|cut -d ' '
--fields=9|uniq -c|sort -nr
[root@mammoth tmp]# sh test
707 209.253.78.9
600 193.178.210.35
115 217.34.37.166
107 63.107.208.110
107 220.95.215.148
107 161.53.191.13
90 81.169.137.164
9 211.184.70.140
9 207.207.186.182
8 62.193.236.45
8 208.13.106.89
1 211.90.27.133
1 211.157.102.10
Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)
| Views for this page | ||||
|---|---|---|---|---|
| Today | This Week | This Month | This Year | Overall |
| 7 | 36 | 141 | 1,444 | 9,350 |
/Forum/dhh1.html copyright February 2005 Dirk Hart All Rights Reserved
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Your ad here - $24.00 yearly!
larryi@ccamedical.com SCO OS5, Debian Linux, RedHat Linux, MySQL, Apache, AJAX development using dXport/dL4/Unibasic, Windows Connectivity, Sharing Resouces, Automation, Shell Scripting
http://thatitguy.com Business networking servers, Linux and Unix experts. In business since 1997! Windows and Exchange to Samba and Scalix migration experts.
http://bcstechnology.net Full service Linux & UNIX systems integrator; Windows to UNIX/Linux Client-Server Specialist; Secure E-Mail & Website Hosting; Thoroughbred Software Developer; Custom Industrial Automation; Hardware & Electronics Experts; In Business Since 1985.
Related Posts
Wed Mar 2 13:23:29 2005: Subject: anonymous
Yap, pretty sure I'm going to ban all of Korea and China from ssh on my server.
--dhh
Wed Mar 2 23:18:16 2005: Subject: TonyLawrence
There's a pam module for blacklisting: http://www.hexten.net/sw/pam_abl/index.mhtml
Might be useful..
Fri Mar 4 00:20:06 2005: Subject: VerifyReverseMapping adanac
This is what you might see in your log if VerifyReverseMapping fails:
Mar 3 17:46:34 mammoth sshd[26428]: Illegal user jordan from 205.246.18.240
Mar 3 17:46:34 mammoth sshd[26428]: Address 205.246.18.240 maps to monolith.vet
eransadvantage.com, but this does not map back to the address - POSSIBLE BREAKIN
ATTEMPT!
Wed Nov 2 00:25:44 2005: Subject: anonymous
Actually what I've done to date is I put together a list of IP blocks I deny SSH access to by default on every system I build. The list started with all Non-Arin IP blocks and was peared down as I found places where I was a little too aggressive. I also wrote a perl script which I cron to run every couple of minutes which parses my /var/log/secure file for SSH login failures. It then adds new deny entries to the /etc/hosts.allow file to block those IP address's if the number of failures exceeds a preset number in a preset time interval. IE: by default, if there are more than 10 login failures from the same IP address and the failures are less than 5 seconds apart on average, then it is added to host.allow automatically because it is considered a brute force attack. If there are more than 50 failures in total, regardless of the interval, the ip address is added. The script also adds a header block to the hosts.allow file where you can add in a "Whitelist" of IP addresses which will always be first in the list and therefore can never be denied.
Since I added these measures, the number of failed login attempts on any given day on my servers has dropped from over 7000 to less than a few hundred on a bad day.
If anyone is interested, there is a project on sourceforge which is similar to what I have written but is far mor feature rich. It is however written in python and I have no intention of ever installing python on any of my servers unless I absolutely have to. If anyone is interested in a copy of the script, feel free to e-mail me at cgardiner@quadrix.com.
Wed Jan 18 19:52:12 2006: Subject: Here's what I use on FreeBSD apex
Sun Mar 26 02:26:10 2006: Subject: Furth more b0x
noob Debian user here
My 2 cents
/etc/cron.hourly/sshd_deny
grep 'Invalid user' /var/log/auth.log* | cut -d ']' --fields=2 | cut -d ' ' --fields=6 | uniq -dc | sort -nr | awk '{ print "sshd: " $2 "/255.255.255.255" }' > /etc/hosts.deny
Add your comments